Topic / Status

Remote
  ECHOMOON working on 32/64-bit. Capable of running arbitrary payloads.

Gladius
  Dead sometime in iOS 8 :(

Kris
  Alive and kicking

Mini Cooper
  Alive and kicking. MiniMe is a new port address leak based on Mini Cooper.

Task_for_Pid AKA get_all_tasks()
  Works as is.
  New el_task_for_pid branch with task_for_pid integrated into the framework should the other one go away. New el_task_for_pid util in elutil.

SALINE
  • ROP gadgets for 32- and 64-bit work on iOS 9.
  • "Frame Inspector" not as accurate anymore - using HMGCC's new method of continued execution via read(), along with a ROP NOP sled to make up for Frame Inspector's inaccuracy.
  • Mostly reliable on 32-bit, kinda flaky on 64-bit.
  TODOs:
  • fix up reliability
  • merge HMGCC's MOP updates for fast local symbol finding

SAL
  • Works as is
  • Created POC bidirectional ports in SAL API - needs more work / refactoring

Sandshrew
  • Previous Sandshrew capability modified to be a sandbox escape for iOS 6.X. Designed to be used with Xiphos.
  • Tested on iPhone4,1 6.1.3

Grist
  • JETSAM killing us - workaround is to override an existing binary with a high jetsam limit or launch via dhcpd.conf.
  • Alternate method: Use dhcpd to launch & persist. Copy /usr/libexec/dhcpd to /sbin/mount_nfs, which is launched at boot or if launchctl'ed. dhcpd has an undocumented feature where it will respect an 'execute' command in /etc/dhcpd.conf. In the dhcpd.conf file put 'execute("/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc", "PATH_TO_GRIST", "ARGS_TO_PASS");'.

End-To-End Discussion
  • Don't attempt to store data in Effaceable storage :)
  • Device-specific key information:
    • EMF filesystem key - read from Effaceable storage
    • Partition UUID - read from IOReg output
    • Fairplay GUID - read from lockdown / 'mdf dev get'
    • IMEI - read from lockdown / gestalt
    • Generate random bytes on install, stored in extended attribute
  • Fairplay encryption - Since there's a Fairplay certificate on the device, an educated guess is that Apple encrypts apps when submitted with their private key, and they are decrypted on device with the public key - so no easy way to get our code encrypted by Apple.
  • Store device information (not the actual key) in NVRAM
  • Perform PBKDF2, 10K rounds?, with device info as input - keep generated key ONLY IN MEMORY, NEVER WRITTEN ANYWHERE, NOT EVEN ONCE.
  TODOs:
  • Find a way to get a 'next boot' value - that way, the key generated is only good for the next boot, and any subsequent boots make it impossible to decrypt
  • Store data in better places - hidden partition, hidden '/0/0/0Apple HFS Data' directory

Xiphos
  • Ported to iOS 6.X, tested on iPhone4,1 6.1.3

Symdra
  • Added support for iOS 6.X. Need to test against targets other than iPhone4,1 6.1.3. _kernel_map* symbols not currently being located.


